WEBVTT

00:00.840 --> 00:03.640
Hello everyone, and welcome to this lecture.

00:04.120 --> 00:11.440
In this lecture we will try to identify and extract hidden components with the built-in tools that

00:11.440 --> 00:13.760
come with the Windows operating system.

00:15.240 --> 00:20.800
Now, today, the most common use for reverse engineering is targeting malware.

00:21.320 --> 00:25.240
Like any other software, malware has its installation process.

00:25.760 --> 00:32.080
Now the difference is that it does not ask for the user's permission to install, so malware does not

00:32.080 --> 00:40.520
even install in the Program Files folder here, where it is supposed to.

00:42.240 --> 00:49.960
So rather, it tends to install malware files in folders that are not commonly entered by the user,

00:50.120 --> 00:52.440
making it hidden from being noticed.

00:52.720 --> 00:58.760
However, some malware shows up noticed and generates copies of itself in almost all noticeable

00:58.760 --> 01:01.280
folders such as the desktop.

01:01.680 --> 01:09.560
Now its purpose is to get its copy executed by users, be it by accidental double-clicking.

01:09.560 --> 01:10.720
Or by curiosity.

01:11.080 --> 01:18.360
Like, for example, if I have the Android developer here, I can change the icon of this and just

01:18.360 --> 01:23.040
double-click it and the malware opens.

01:23.200 --> 01:24.800
Now, this is not malware here.

01:25.480 --> 01:33.240
Now this is what we usually call malware persistence.

01:33.880 --> 01:41.280
Its purpose is to get its copies executed by users, be it by accidental double-click or by curiosity.

01:43.640 --> 01:52.120
And also, however, some malware shows up noticed and generates copies, making

01:52.120 --> 01:54.400
it hidden.

01:54.640 --> 01:57.160
Also almost undeletable.

01:58.440 --> 02:04.600
Now, persistence in malware is when malware consistently runs in the background.

02:04.970 --> 02:12.290
Now in this section, we will be pinpointing general techniques used by malware to become persistent.

02:12.410 --> 02:18.730
And we will also explain common locations where malware files are stored and major behaviors of malware,

02:18.730 --> 02:25.410
and some tools that are capable of identifying how the malware installs itself in the system will also

02:25.410 --> 02:26.210
be shown.

02:26.370 --> 02:32.370
Now, understanding how malware is delivered will definitely help the reverse engineer explain how the attacker

02:32.370 --> 02:42.090
was able to deliver an attack to compromise the system.

02:42.330 --> 02:50.050
And in this section, we will learn about the basics of the operating system environment, both Windows

02:50.050 --> 02:50.770
and Linux.

02:51.210 --> 02:57.410
The typical malware behavior, which consists of malware delivery, malware persistence and malware

02:57.450 --> 03:02.370
payload, and the tools used to identify hidden components.

03:02.930 --> 03:09.890
Now, the technical requirements of this lecture are mainly the built-in Windows tools

03:09.930 --> 03:22.370
that we will use in this lecture, but you can also get the Sysinternals Suite from the Microsoft website.

03:23.130 --> 03:31.050
And here you will see mainly the troubleshooting utilities for the Windows machine.

03:31.490 --> 03:31.970
Yeah.

03:32.290 --> 03:36.250
This tool set might come in handy in some cases.

03:37.370 --> 03:44.370
And yeah, let me download it, and let's talk about the operating system environment here.

03:44.530 --> 03:50.650
So doing reverse engineering requires the analyst to understand where the software being reversed is

03:50.650 --> 03:51.370
being run.

03:52.650 --> 04:02.650
So the major parts that software requires in order to work in an operating system are the memory and

04:02.650 --> 04:08.580
the file system. In Windows operating systems, besides the memory and the file system,

04:09.500 --> 04:19.340
Microsoft introduced the registry system, which is actually stored in protected files called registry

04:19.500 --> 04:20.140
hives.

04:23.500 --> 04:30.340
We will be looking at this Registry Editor more in the next lectures, because it is very useful for identifying

04:30.420 --> 04:38.700
and seeing the hidden traces of malware and other programs, be it games or other

04:39.980 --> 04:41.420
office programs, even.

04:42.180 --> 04:48.460
And the file system is where the data is stored directly on the physical drive.

04:48.500 --> 04:58.380
Now, these file systems manage how files and directories are stored on the disk, and various disk

04:59.220 --> 05:06.100
file systems have their own variations for efficiently reading and writing data.

05:06.260 --> 05:10.500
Now there are different disk file systems, such as NTFS.

05:10.540 --> 05:19.620
You can see here FAT, ext2, ext3, ext4 for Linux, ZFS and APFS for the Mac.

05:19.820 --> 05:27.460
Now, common file systems used by Windows are NTFS and FAT32.

05:29.540 --> 05:37.820
Now, if we open Disk Management, which you see here, we can see our disk partitions and the disks.

05:37.980 --> 05:40.100
You can see I have two disks.

05:40.100 --> 05:43.100
And in disk one I have 1, 2, 3 partitions.

05:43.140 --> 05:48.860
The one is the EFI system partition, which is common if you are using Windows.

05:49.300 --> 05:54.900
And this is the NTFS partition, my C disk, and we also have the recovery partition.

05:54.940 --> 05:56.460
Now you can see disk zero.

05:56.500 --> 06:05.260
We have a 12 gigabyte NTFS volume, volume label E, and we have an unallocated

06:07.540 --> 06:08.220
partition.

06:08.220 --> 06:12.910
So by right-clicking on it you can generate the new partition.

06:12.910 --> 06:17.110
You can see we can select NTFS and FAT32.

06:17.150 --> 06:22.350
We can also set the allocation unit size, but the default is okay in most cases.

06:23.190 --> 06:24.470
Now, yeah.

06:25.790 --> 06:32.270
Now, stored in the file system is information about the directory path and files.

06:32.270 --> 06:37.550
It includes the file name, the size of the file, the date stamps and permissions.

06:41.710 --> 06:48.670
You can see we can also edit the permissions of this by users and groups.

06:50.430 --> 07:04.150
Now if we go here and open the Windows folder, and here you can see we have PFC, SFC.

07:05.390 --> 07:09.350
Now this shows the information about the file system.

07:09.990 --> 07:14.910
About bfsvc, we see.

07:15.310 --> 07:17.230
You can see its description

07:17.230 --> 07:26.630
is Boot File Servicing Utility, location, created, modified and accessed just today.

07:27.790 --> 07:29.910
And the compatibility details.

07:29.950 --> 07:32.190
It is copyrighted Microsoft Corporation.

07:32.190 --> 07:33.350
All rights reserved.

07:33.350 --> 07:35.670
Product name is Microsoft Windows Operating System.

07:36.390 --> 07:37.030
So this.

07:39.910 --> 07:42.830
executable file seems okay because it is.

07:43.870 --> 07:46.390
Let's go through a little history here.

07:46.390 --> 07:54.790
In previous Apple Mac OS X versions, file information and data are stored in resource forks.

07:55.070 --> 07:57.630
So resource forks are actually deprecated.

07:57.630 --> 08:02.350
But backward compatibility still exists on recent versions of Mac OS.

08:02.750 --> 08:09.550
So a file has two forks stored in the file system: the data fork and the resource fork.

08:10.870 --> 08:15.920
Now the data fork contains unstructured data, while the resource fork contains structured data.

08:16.160 --> 08:22.560
The resource fork contains information such as the executable machine code, icons, the shape of an alert

08:22.560 --> 08:26.640
box, strings used in the file, and so on.

08:27.320 --> 08:34.120
Now, for instance, if you wanted to back up a Mac application by simply moving it to a Windows hard

08:34.120 --> 08:38.440
drive, then moving it back, the application will no longer open.

08:38.600 --> 08:45.040
So while transferring, only the file gets transferred, but the resource fork gets stripped out

08:45.160 --> 08:46.000
in the process.

08:46.680 --> 08:51.480
Now, simple copy tools don't respect the forks in Apple Mac OS.

08:51.520 --> 08:58.480
Instead, Mac developers developed tools to synchronize files to and from external disks.

08:59.040 --> 09:08.440
So yeah, Windows is basically more handy and more compatible with copying and extracting files.

09:08.480 --> 09:14.600
Now we can copy this whole file onto our desktop.

09:16.720 --> 09:18.640
And yeah, here you can see it still works.

09:21.160 --> 09:22.560
And yeah.

09:22.560 --> 09:25.120
Let's talk about the memory as well.

09:25.280 --> 09:28.400
Now you can see we have the memory.

09:28.400 --> 09:30.280
I have 32 GB of RAM.

09:30.480 --> 09:32.840
Now, this is my virtual machine.

09:33.080 --> 09:36.480
In my main machine, I have 64 GB of RAM.

09:37.320 --> 09:45.240
Now, when a Windows executable executes, if you go to Processes now, you can see the system

09:45.240 --> 09:46.560
allocates a memory space.

09:46.560 --> 09:51.160
For example, for Google Chrome it is 125.

09:51.400 --> 09:59.600
So also, if you add new tabs now, you will see it will increase, like 318, 340.

10:00.680 --> 10:01.160
Right.

10:02.960 --> 10:09.240
It is about how efficiently the program is written and what you do with the program.

10:09.600 --> 10:12.120
It is how it defines the memory.

10:13.840 --> 10:21.450
And now this reads the executable file from the disk, writes it at predefined sections in allocated memory,

10:21.450 --> 10:23.490
then loads the code to execute from there.

10:23.730 --> 10:29.210
Now this block of memory is called the process block and is linked to other process blocks as well.

10:29.250 --> 10:33.730
Basically, every program that executes consumes a memory space as a process.

10:34.970 --> 10:39.890
You can see even as little as, like, zero megabytes.

10:39.930 --> 10:41.570
Now, this is not zero megabytes.

10:41.570 --> 10:50.430
Of course it will have some kind of kilobytes and it will just use bits or bytes here, but not zero

10:50.430 --> 10:51.130
kilobytes.

10:51.410 --> 10:56.170
Now you can see in the system 0.1 1.11 to 2.

10:56.210 --> 10:57.770
And yeah, that's how it is.

10:57.810 --> 10:59.810
And you can see that the most

11:02.010 --> 11:04.490
memory used is Google Chrome.

11:04.490 --> 11:08.810
And the second is the anti-malware executable, Windows Defender.

11:10.250 --> 11:14.570
Now this is how you create a memory dump file.

11:14.610 --> 11:16.770
Go to Details, Open file location.

11:16.970 --> 11:22.450
Now if you see some possible malware,

11:22.450 --> 11:27.690
you can open the file location and see where it is and what it does.

11:29.050 --> 11:34.610
And yes, you can also execute the created memory dump file.

11:34.610 --> 11:38.650
And you can see we have created this, Open file location.

11:38.930 --> 11:39.810
And here we are.

11:40.130 --> 11:49.890
Now this will be handy in analyzing, and yeah, the most important thing in Linux is the registry

11:49.890 --> 11:50.610
system.

11:50.610 --> 11:52.650
So in Windows, not Linux.

11:52.650 --> 11:53.050
Sorry.

11:53.410 --> 11:58.330
In Linux, we have no registry system.

11:58.330 --> 12:03.250
It works differently, which I will also explain in the next lectures.

12:04.090 --> 12:04.610
Yeah.

12:04.650 --> 12:10.810
In Windows, the registry is a common database that contains system-wide configuration and application

12:10.810 --> 12:11.450
settings.

12:11.490 --> 12:14.250
Now, examples of stored information in the registry.

12:15.090 --> 12:15.730
Let's see.

12:16.090 --> 12:24.180
So it shows the associated programs that execute specific files, like if we go

12:24.180 --> 12:26.860
to default applications.

12:26.900 --> 12:30.620
Now if we see, for example, Google Chrome uses

12:30.860 --> 12:32.820
HTM, HTML. For PDF

12:34.980 --> 12:35.340
files,

12:35.340 --> 12:37.140
we use the Foxit PDF Reader.

12:37.380 --> 12:41.500
So basically these settings are stored in the registry.

12:41.940 --> 12:42.500
Right.

12:42.700 --> 12:53.300
So for example, the HTML files are associated with Google Chrome, PDF files are associated with Foxit

12:53.300 --> 12:54.220
PDF Reader.

12:54.540 --> 13:01.900
And it will also save the associated icons for specific files and folders.

13:02.500 --> 13:05.860
It will also set the software settings, like...

13:05.860 --> 13:15.900
It can also set the uninstall configurations, update sites, ports, product identification

13:16.420 --> 13:17.380
numbers.

13:18.220 --> 13:25.060
It is also used to save the user settings.

13:27.260 --> 13:28.940
Like group profiles.

13:28.940 --> 13:32.140
And it also saves the printer.

13:32.300 --> 13:37.260
Like, basically, the registry is the memory,

13:37.500 --> 13:41.420
the memory that saves everything in Windows.

13:42.180 --> 13:48.140
Now the registry, you can see it is stored in hive files.

13:48.180 --> 13:53.980
The list of hive files is also found in the registry itself, as can be seen here.

13:54.620 --> 14:00.980
Now, writing and reading information from the registry requires Windows Registry APIs.

14:01.020 --> 14:07.060
Now, the registry can be viewed visually using Registry Editor like this.

14:08.300 --> 14:14.220
And on the left pane, the registry values are found under the Name column.

14:15.540 --> 14:16.940
And yes.

14:17.140 --> 14:25.140
So for example, if we go to HKEY_CURRENT_USER, like, go to Software.

14:26.710 --> 14:27.630
And here.

14:27.870 --> 14:28.550
Let's see.

14:29.590 --> 14:30.350
Python.

14:30.750 --> 14:31.270
Python.

14:31.270 --> 14:31.790
PythonCore.

14:32.750 --> 14:36.710
Now you can see the main Python documentation.

14:37.190 --> 14:37.430
Yeah.

14:37.430 --> 14:39.310
It is storing something, right.

14:39.350 --> 14:39.630
Yeah.

14:39.670 --> 14:42.190
The value data is here, right.

14:44.350 --> 14:46.230
It is like a variable, right.

14:46.630 --> 14:48.950
The executable path of Python is here.

14:51.230 --> 14:52.590
And yes.

14:52.590 --> 15:02.870
We will also explain the Registry Editor in more detail, because

15:03.470 --> 15:10.350
the editor is your friend in reverse engineering and malware analysis, and yes.

15:10.510 --> 15:12.870
That's it with our lecture.

15:13.030 --> 15:14.270
Thank you for watching.

15:14.270 --> 15:15.790
And I'm waiting for you.

15:15.790 --> 15:21.070
In the next lecture, we will talk about the typical malware behavior like persistence.

15:21.270 --> 15:24.390
Run keys. For understanding the Run keys,

15:24.390 --> 15:26.350
we will also use the Registry Editor.

15:27.030 --> 15:28.510
So I'm waiting for you in the next lecture.
